Added access check for write and manage actions

This commit is contained in:
NGPixel 2017-01-02 23:32:16 -05:00
parent 4625a302f6
commit 9578989b67
7 changed files with 93 additions and 33 deletions

View File

@ -32,7 +32,7 @@
- [x] Facebook
- [x] Access Rights
- [x] View
- [ ] Edit / Create
- [x] Edit / Create
- [x] Background Agent (git sync, cache purge, etc.)
- [x] Caching
- [x] Create Entry
@ -40,7 +40,7 @@
- [x] Prerequisites
- [x] Install
- [ ] Authentication
- [ ] Git
- [x] Git
- [x] Upgrade
- [x] Edit Entry
- [x] Git Management

View File

@ -12,10 +12,21 @@ router.get('/', (req, res) => {
});
router.get('/profile', (req, res) => {
if(res.locals.isGuest) {
return res.render('error-forbidden');
}
res.render('pages/admin/profile', { adminTab: 'profile' });
});
router.get('/stats', (req, res) => {
if(res.locals.isGuest) {
return res.render('error-forbidden');
}
Promise.all([
db.Entry.count(),
db.UplFile.count(),
@ -28,14 +39,27 @@ router.get('/stats', (req, res) => {
}).catch((err) => {
throw err;
});
});
router.get('/users', (req, res) => {
if(!res.locals.rights.manage) {
return res.render('error-forbidden');
}
res.render('pages/admin/users', { adminTab: 'users' });
});
router.get('/settings', (req, res) => {
if(!res.locals.rights.manage) {
return res.render('error-forbidden');
}
res.render('pages/admin/settings', { adminTab: 'settings' });
});
module.exports = router;

View File

@ -13,6 +13,10 @@ var _ = require('lodash');
*/
router.get('/edit/*', (req, res, next) => {
if(!res.locals.rights.write) {
return res.render('error-forbidden');
}
let safePath = entries.parsePath(_.replace(req.path, '/edit', ''));
entries.fetchOriginal(safePath, {
@ -40,6 +44,13 @@ router.get('/edit/*', (req, res, next) => {
router.put('/edit/*', (req, res, next) => {
if(!res.locals.rights.write) {
return res.json({
ok: false,
error: 'Forbidden'
});
}
let safePath = entries.parsePath(_.replace(req.path, '/edit', ''));
entries.update(safePath, req.body.markdown).then(() => {
@ -61,6 +72,10 @@ router.put('/edit/*', (req, res, next) => {
router.get('/create/*', (req, res, next) => {
if(!res.locals.rights.write) {
return res.render('error-forbidden');
}
if(_.some(['create','edit','account','source','history','mk'], (e) => { return _.startsWith(req.path, '/create/' + e); })) {
return res.render('error', {
message: 'You cannot create a document with this name as it is reserved by the system.',
@ -102,6 +117,13 @@ router.get('/create/*', (req, res, next) => {
router.put('/create/*', (req, res, next) => {
if(!res.locals.rights.write) {
return res.json({
ok: false,
error: 'Forbidden'
});
}
let safePath = entries.parsePath(_.replace(req.path, '/create', ''));
entries.create(safePath, req.body.markdown).then(() => {
@ -109,7 +131,7 @@ router.put('/create/*', (req, res, next) => {
ok: true
}) || true;
}).catch((err) => {
res.json({
return res.json({
ok: false,
error: err.message
});
@ -192,6 +214,13 @@ router.get('/*', (req, res, next) => {
*/
router.put('/*', (req, res, next) => {
if(!res.locals.rights.write) {
return res.json({
ok: false,
error: 'Forbidden'
});
}
let safePath = entries.parsePath(req.path);
if(_.isEmpty(req.body.move)) {

View File

@ -89,6 +89,7 @@ app.use(express.static(path.join(ROOTPATH, 'assets')));
var strategy = require(CORE_PATH + 'core-libs/auth')(passport, appconfig);
global.rights = require(CORE_PATH + 'core-libs/rights');
rights.init();
var sessionStore = new sessionMongoStore({
mongooseConnection: db.connection,

View File

@ -41,6 +41,7 @@ block content
a(href='/admin/stats')
i.icon-bar-graph-2
span Stats
if rights.manage
li
a(href='/admin/users')
i.icon-users

View File

@ -6,12 +6,14 @@ block rootNavCenter
block rootNavRight
i.nav-item#notifload
span.nav-item
if rights.write
a.button.is-outlined.btn-move-prompt.is-hidden
i.icon-shuffle
span Move
a.button.is-outlined(href='/' + pageData.meta.path)
i.icon-loader
span Normal View
if rights.write
a.button.is-orange(href='/edit/' + pageData.meta.path)
i.fa.fa-edit
span Edit

View File

@ -11,12 +11,14 @@ mixin tocMenu(ti)
block rootNavRight
i.nav-item#notifload
.nav-item
if rights.write
a.button.is-outlined.btn-move-prompt.is-hidden
i.icon-shuffle
span Move
a.button.is-outlined(href='/source/' + pageData.meta.path)
i.icon-loader
span Source
if rights.write
a.button(href='/edit/' + pageData.meta.path)
i.icon-document-text
span Edit
@ -46,6 +48,7 @@ block content
a(href='/' + pageData.parent.path)
i.icon-reply
span= pageData.parent.title
if !isGuest
li
a(href='/admin')
i.icon-head